Re: [squid-users] Allow MSN messenger

From: David Touzeau <david_at_touzeau.eu>
Date: Tue, 08 Feb 2011 20:44:20 +0100

Le mardi 08 février 2011 à 13:35 -0500, Chad Naugle a écrit :
> Which all looks ok, but is there an "http_access" that allows anything
> other than the "CONNECT" method, such as:
>
> http_access allow MSN_hosts
> http_access allow MSN_domains
> http_access allow MSN_net
>
> Not to mention any other sites / hosts / ports (such as port 80) before
> the "http_access deny all", because whenever stacking ACLs on one line there is an
> implied "AND" operator, so each line only works like this:
>
> "Method is CONNECT" AND "Ports" AND "Destination is <list>"
>
> Otherwise DENY ALL is the likely culprit.
>
>
> >>> David Touzeau <david_at_touzeau.eu> 2/8/2011 1:22 PM >>>
>
> Dear all, I use squid 3.1.10 and I would like to allow MSN messenger to pass
> through squid
>
> According to the wikis I did this:
>
> # Permit MSN
> acl MSN_ports port 1863 443 1503
> acl MSN_domains
> dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com
> .passport.com
> acl MSN_hosts dstdomain messenger.hotmail.com
> acl MSN_nets dst 207.46.111.0/255.255.255.0
> acl MSN_methods method CONNECT
>
>
> http_access allow MSN_methods MSN_ports MSN_hosts
> http_access allow MSN_methods MSN_ports MSN_domains
> http_access allow MSN_methods MSN_ports MSN_net
>
> But MSN still didn't want to connect, with these errors:
>
> 192.168.82.173 - - [08/Feb/2011:10:48:38 -04-30] "POST
> http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403
> 1662 TCP_MISS:DIRECT
> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST
> http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403
> 1662 TCP_MISS:DIRECT
> 192.168.82.173 - - [08/Feb/2011:10:48:39 -04-30] "POST
> http://www.sqm.microsoft.com/sqm/messenger/sqmserver.dll HTTP/1.1" 403
> 1662 TCP_MISS:DIRECT
>
> Where am I wrong?
>
> Best regards
>
>
>

This is the entire content of the squid.conf; if you see something wrong,
let me know.

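acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.1/32
acl manager proto cache_object
auth_param basic credentialsttl 2 hour
authenticate_ttl 1 hour
authenticate_ip_ttl 60 seconds
#--------- TWEEKS PERFORMANCES
# http://blog.last.fm/2007/08/30/squid-optimization-guide
memory_pools off
quick_abort_min 0 KB
quick_abort_max 0 KB
log_icp_queries off
client_db off
buffered_logs on
half_closed_clients off

#--------- squidGard

#IS C-ICAP enabled = 1
# NOTE(review): squidGuard is a second, independent filter in front of the
# http_access rules below; when a permitted site is still refused, check its
# blacklists and log as well as squid's own access_log.
redirect_program /usr/bin/squidGuard
redirect_children 20

#--------- SQUID PARENTS (feature not enabled)

#--------- acls
# Regex deny-list; see the note at "http_access deny blockedsites" below.
acl blockedsites url_regex "/etc/squid3/squid-block.acl"
acl CONNECT method CONNECT
acl purge method PURGE
acl FTP proto FTP
acl multimedia_rep rep_mime_type -i ^video/x-ms-asf$
acl multimedia_rep rep_mime_type -i ^application/vnd.ms.wms-hdr.asfv1$
acl multimedia_rep rep_mime_type -i ^application/x-mms-framed$
acl multimedia_rep rep_mime_type -i ^image/
acl multimedia_rep rep_mime_type -i ^video
acl multimedia_rep rep_mime_type -i ^audio
acl multimedia_rep rep_mime_type -i ^application/x-dvi$
acl multimedia_rep rep_mime_type -i ^application/x-isoview
# Rejoined onto one line: the mail wrapped this directive over two lines,
# which squid would not parse.
acl multimedia_browsers browser -i ^Windows-Media-Player.* -i ^.*player.*
acl bigfiles_types urlpath_regex -i \.deb$
acl bigfiles_types urlpath_regex -i \.rpm$
acl bigfiles_types urlpath_regex -i \.iso$
acl bigfiles_types urlpath_regex -i \.tar\.gz$
acl bigfiles_types urlpath_regex -i \.gz$
acl bigfiles_types urlpath_regex -i \.bz$
acl bigfiles_types urlpath_regex -i \.tar$
acl bigfiles_types urlpath_regex -i \.cue$
acl bigfiles_types urlpath_regex -i \.nrg$
acl bigfiles_types urlpath_regex -i \.crf$
acl bigfiles_types urlpath_regex -i \.bwi$
acl bigfiles_types urlpath_regex -i \.bwt$
acl bigfiles_types urlpath_regex -i \.lcd$
acl bigfiles_types urlpath_regex -i \.ccd$
acl bigfiles_types urlpath_regex -i \.mdf$
acl bigfiles_types urlpath_regex -i \.mds$
acl bigfiles_types urlpath_regex -i \.vcd$
acl bigfiles_types urlpath_regex -i \.cif$
acl bigfiles_types urlpath_regex -i \.vdi$
acl bigfiles_types urlpath_regex -i \.img$

acl office_network src 192.168.82.0/24

#--------- MAIN RULES...
always_direct allow FTP
# --------- SAFE ports
acl Safe_ports port 1443 #FortiPartner
acl Safe_ports port 80 #http
acl Safe_ports port 443 #https
acl Safe_ports port 21 #ftp
acl Safe_ports port 1863 #MSN
acl Safe_ports port 20 #ftp-data#
acl SSL_ports port 9000 #Artica
acl SSL_ports port 443 #HTTPS
acl SSL_ports port 563 #https, snews
acl SSL_ports port 6667 #tchat
acl SSL_ports port 4343 #FortiGate

# Permit MSN
# 1503 is not in Safe_ports and neither 1863 nor 1503 is in SSL_ports, so
# the MSN allow rules must stay above "deny !Safe_ports" / "deny CONNECT
# !SSL_ports" below, which is where they are.
acl MSN_ports port 1863 443 1503
# Rejoined onto one line (mail wrapping split the acl name from its type).
acl MSN_domains dstdomain .microsoft.com .hotmail.com .live.com .msft.net .msn.com .passport.com
acl MSN_hosts dstdomain messenger.hotmail.com
acl MSN_nets dst 207.46.111.0/255.255.255.0
acl MSN_methods method CONNECT

# Rejoined onto one line: the regex had been wrapped over four lines.
acl MULTIMEDIA rep_mime_type -i ^(audio\/x-mpegurl|audio\/mpeg|video\/flv|video\/x-flv|application\/x-shockwave-flash|audio\/ogg|video\/ogg|application\/ogg)$

# --------- RULES DEFINITIONS
# NOTE(review): this deny is evaluated before every MSN allow. A pattern in
# squid-block.acl that matches www.sqm.microsoft.com would produce exactly
# the 403s on the POST requests quoted in the thread — check that file first.
http_access deny blockedsites
# All three MSN rules require the CONNECT method (MSN_methods), so plain
# GET/POST requests to the MSN domains never match them; those fall through
# to "allow office_network" further down.
http_access allow MSN_methods MSN_ports MSN_hosts
http_access allow MSN_methods MSN_ports MSN_domains
http_access allow MSN_methods MSN_ports MSN_nets
http_access allow localhost
http_access allow manager localhost
# Added: without an explicit deny, cache_object (cache manager) requests from
# the LAN are accepted by "allow office_network" below. Squid's default
# configuration denies manager right after allowing it for localhost.
http_access deny manager
# Fixed typo: the original read "ttp_access", which is not a directive, so
# the PURGE-from-localhost allow was never loaded.
http_access allow purge localhost
http_access deny purge
url_rewrite_access deny localhost
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
# Moved above "allow office_network": in the original order it came after the
# allow and therefore never applied to LAN clients, which could reach loopback
# services on the proxy host (e.g. the ICAP port configured below) via the
# proxy. Squid's default configuration places this deny before any allow.
http_access deny to_localhost
http_access allow office_network
http_access deny all
# --------- ICAP Services.(1 service(s))
# --------- icap_service C-ICAP mode 3.1.x
# Rejoined onto one line (the service URL had wrapped).
# bypass=on together with icap_service_failure_limit -1 below means an
# unreachable or failing ClamAV service is never taken out of rotation and
# each affected response is passed through unscanned (fail-open). That is an
# availability trade-off; make sure it is the intended one.
icap_service service_antivir respmod_precache routing=on bypass=on icap://127.0.0.1:1345/srv_clamav

# --------- adaptation for C-ICAP service

adaptation_service_set class_antivirus service_antivir
# Multimedia responses (MULTIMEDIA acl above) skip antivirus scanning.
adaptation_access class_antivirus deny MULTIMEDIA
adaptation_access class_antivirus allow all

icap_enable on
icap_preview_size 128
icap_service_failure_limit -1
icap_preview_enable on
icap_send_client_ip on
icap_send_client_username on
icap_client_username_header X-Authenticated-User
icap_client_username_encode on

# --------- ident_lookup_access
hierarchy_stoplist cgi-bin ?

# --------- General settings
visible_hostname proxyweb

# --------- time-out
dead_peer_timeout 10 seconds
dns_timeout 2 minutes
connect_timeout 1600 seconds
persistent_request_timeout 3 minutes
pconn_timeout 1600 seconds

# --------- Objects limits
request_body_max_size 5 MB
request_header_max_size 64 KB
maximum_object_size 300 MB
minimum_object_size 0 KB
maximum_object_size_in_memory 8 KB

#http/https ports
# Rejoined onto one line (the key= option had wrapped).
http_port 3128 ssl-bump cert=/etc/squid3/ssl/cacert.pem key=/etc/squid3/ssl/privkey.pem

# --------- SSL Rules
# NOTE(review): this bumps every CONNECT accepted above, including the MSN
# tunnels to 1863/1503, which do not carry TLS. If those tunnels still fail
# once the http_access side is right, consider an ssl_bump deny for the
# non-443 MSN ports — to be confirmed by testing.
ssl_bump allow all
always_direct allow all

# --------- Caches
cache_effective_user squid
cache_effective_group squid
#cache_replacement_policy heap LFUDA
cache_mem 204 MB
# Fixed: the low-water mark must be below the high-water mark; the original
# had them inverted (high 90, low 95).
cache_swap_low 90
cache_swap_high 95
# --------- DNS and ip caches
ipcache_size 51200
ipcache_low 90
ipcache_high 95
fqdncache_size 51200

# --------- SPECIFIC DNS SERVERS
dns_nameservers 192.168.82.2

#--------- FTP specific parameters
ftp_list_width 50
ftp_passive on
ftp_sanitycheck off
ftp_epsv off
ftp_epsv_all off
ftp_telnet_protocol off

debug_options ALL,1
refresh_pattern ^ftp: 1440 20% 10080
refresh_pattern ^gopher: 1440 0% 1440
refresh_pattern . 0 20% 4320
icp_port 3130

# --------- Logs
# (fixed: this heading was missing its leading "#", so squid would have
# rejected the line as an unknown directive)
#fqdn is disabled to provide IP addresses to filters
log_fqdn off
coredump_dir /var/squid/cache
cache_store_log /var/log/squid/store.log
cache_log /var/log/squid/cache.log
pid_filename /var/run/squid.pid
access_log none manager
access_log /var/log/squid/access.log common
access_log /var/log/squid/sarg.log squid
icap_log /var/log/squid/icap_access.log

cache_dir ufs /var/cache/squid 20000 16 256
# --------- OTHER CACHES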
Received on Tue Feb 08 2011 - 19:44:32 MST
